Overview of Amazon Virtual Private Cloud (VPC)

Amazon Virtual Private Cloud (VPC) is a service that lets you create a logically isolated section of the AWS Cloud. Think of this section as your own private network residing within the AWS Cloud; you launch AWS resources inside it.

Key components of VPC

When you create a VPC, the following components are typically created as well, either to make the VPC functional or to extend its functionality:

  • Subnet – a sub-network within the VPC, defined by a range of IP addresses that is a subset of the CIDR range assigned to the VPC
  • Route Table – a set of rules (routes) that controls where network traffic from the VPC is directed
  • Internet Gateway – a gateway attached to the VPC that enables communication between the VPC's internal resources and the Internet
  • VPC Endpoint – a defined interface that allows resources in the VPC to communicate privately with supported AWS services

Key Points for VPC

  • A VPC can span multiple Availability Zones but stays within a single Region
  • VPC is a highly available service
  • A VPC may be connected to other VPCs or to your private network (datacenter, office, etc.)
  • Subnets are created inside the VPC, and resources are launched in these Subnets
  • Allowed IP range: largest CIDR is x.x.x.x/16 (65,536 IPs), smallest CIDR is x.x.x.x/28 (16 IPs)
    • You can bring your own pool of (public) IP addresses
  • There is a Default VPC in each Region

Default VPC

A default VPC is created in your account the first time you provision EC2 resources.

  • The Default VPC is specific to a Region. You can delete or recreate the Default VPC in any Region
  • It is pre-configured with network and security settings that allow quick launch of most services
    • It is recommended that you create a new VPC that is tightly tuned (and secured) to your requirements
  • Configured with a CIDR of 172.31.0.0/16
  • One public Subnet is created in each Availability Zone of the Region, configured with an x.x.x.x/20 CIDR and automatic assignment of a public IP
    • Attached to Internet Gateway
    • Security Group – all traffic allowed (in and out)
    • NACL – all traffic allowed (in and out)

Limits and constraints:

  • Max of 5 VPCs per Account per Region
  • Max of 200 Subnets per VPC (you can raise a ticket to request more)
  • Max of 5 VPC Elastic IPs per AWS Account per Region
  • Maximum one Internet Gateway per VPC
  • Maximum one Virtual Private Gateway per VPC

Some key network components (AWS resources) are what make a VPC functional in a meaningful way:

  • IP addresses (CIDR range)
    • Five IPs in each Subnet's range are reserved – the first four and the last one
  • Subnet
    • A Subnet may be Public (Internet facing) or Private
    • In order for a Subnet to be public, it must:
      • have a Public IP Address
      • be associated with an Internet Gateway
      • have a Route (in its Route Table) allowing traffic to the Internet Gateway
      • have a NACL rule allowing traffic to the Internet Gateway
      • have a Security Group rule allowing traffic to the Internet Gateway
    • A Subnet stays within one Availability Zone
  • Route Table
  • Gateways – Internet Gateway, NAT Gateway, Egress-only Internet Gateway
  • Security Group and NACL
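
As an added example (not part of these notes), the following Python script turns the public-Subnet criteria above into an audit check: a Subnet is reported as public only when its Route Table (explicit association, or the VPC's main table otherwise) sends 0.0.0.0/0 to an Internet Gateway that is attached to the VPC and public IPs are auto-assigned, and each Subnet's usable address count is computed after the five reserved IPs. The input is constructed sample data shaped like the EC2 describe-* API responses with placeholder IDs; NACL and Security Group rules are not modelled.

```python
import ipaddress

# Constructed sample data shaped like EC2 describe-* responses (only fields used below); IDs are placeholders.
VPC = {"VpcId": "vpc-0example", "CidrBlock": "10.0.0.0/16"}
INTERNET_GATEWAYS = [{"InternetGatewayId": "igw-0example",
                      "Attachments": [{"VpcId": "vpc-0example", "State": "available"}]}]
SUBNETS = [
    {"SubnetId": "subnet-pub", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-main", "CidrBlock": "10.0.3.0/28", "MapPublicIpOnLaunch": True},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    # Main route table: applies to subnets without an explicit association.
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

def usable_addresses(cidr):
    """AWS reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(cidr).num_addresses - 5

def attached_igws(vpc_id, igws):
    """IDs of Internet Gateways attached (and available) to this VPC."""
    return {g["InternetGatewayId"] for g in igws if any(
        a["VpcId"] == vpc_id and a["State"] == "available" for a in g["Attachments"])}

def route_table_for(subnet_id, route_tables):
    """Explicitly associated table if any, otherwise the VPC's main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))

def is_public_subnet(subnet, vpc_id, igws, route_tables):
    """Public = default route to an IGW attached to this VPC, plus auto-assigned public IPs."""
    rt = route_table_for(subnet["SubnetId"], route_tables)
    igw_route = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                    and r.get("GatewayId") in attached_igws(vpc_id, igws) for r in rt["Routes"])
    return igw_route and subnet["MapPublicIpOnLaunch"]

def audit(vpc, subnets, igws, route_tables):
    """Per-subnet report: whether it is public, and how many addresses are actually usable."""
    return {s["SubnetId"]: {"public": is_public_subnet(s, vpc["VpcId"], igws, route_tables),
                            "usable_ips": usable_addresses(s["CidrBlock"])} for s in subnets}
```

Running `audit(VPC, SUBNETS, INTERNET_GATEWAYS, ROUTE_TABLES)` against real describe-* output would surface Subnets that are unintentionally public, which is the check most worth automating when reviewing a VPC.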

Additionally, the following components extend the use of a VPC:

  • Virtual Private Gateway – allows VPN connectivity
  • Peering Connection – connects to another VPC so that the two communicate using private IP addresses (rather than over the Internet)
  • VPC Endpoints – allow private connectivity to other AWS services

Pricing

There is no charge for the VPC itself. You pay for the resources created inside the VPC and for connection components (if used).

External Resources